Jackson's comments, commiserations, confabulations and simplifications on identity management and Microsoft's Active Directory all based on his continuous "reality tour" of meetings with customers, ISVs and Microsoft.

Friday, November 19, 2010

The Great Cyberheist–Would proper identity management have helped?

This an excellent New York Times article on how the FBI cracked the biggest ring of hackers who trafficked in databases of stolen card accounts and devices like magnetic strip-encoders and card-embossers. If you are interested in how this is done or if you have ever had your ATM or credit card re-issued by your bank for security reasons then you may want to read this article. As I read it there were a few places that I thought an effective IAM/IDM strategy would have helped.

Within 10 minutes we were on their computers and were able to execute commands freely. From there we leveraged access until we were the domain administrators.

Wow, clearly a privileged account management problem that could have been solved via software, smartcard use for administrators or better control of group memberships.

Scott cracked the Marshalls WiFi network, and he and James started navigating the system: they co-opted log-ins and passwords

Last login date; more effective provisioning and de-provisioning may have helped prevent this. Of course, if Marshalls would have bothered to implement 802.1X security rather than having “open” wireless access points this may never have happened to begin with.

He was also tired of war driving. He wanted a new challenge. He found one in a promising technique called SQL injection.

I’m not a SQL expert but these guys accessed SQL databases to get their information. Whether they did this with privileged accounts or not is unknown but clearly a file/database security monitoring tool or potentially something that managed privileged accounts (SQL or domain accounts) may have prevented this type of access or at least alerted people to the access issues.

And one last pointer from the article: Beware of people sitting in cars, with laptops and giant antennas!

Legal

The posts on this blog are provided “as is” with no warranties and confer no rights. The opinions expressed on this site are mine and mine alone, and do not represent those of my employer or anyone else for that matter. View this blog's privacy policy here.16 CFR § 255.5 disclosure: I am an employee of Quest Software.